QUESTION: 1 Which of the following audit findings would have the least impact (either positive or negative) on a department's control environment?
A. The department makes long-term investment risk decisions to maximize return on investment. B. The department manager sets and demonstrates a tone of honesty and integrity in all business dealings. C. any department functions are duplicated or verified by other department employees. D. Deficiencies were found in the appropriate authorization of transactions.
Answer: A
QUESTION: 2 According to the Standards, which of the following best describes the concept of due professional care?
A. Internal auditors must apply the diligence and skill expected of a reasonably prudent and …show more content…
competent internal auditor. B. Internal auditors must possess the knowledge, skills, and other competencies needed to perform their audit responsibilities. C. Internal auditors must have sufficient knowledge to identify fraud. D. Internal auditors must refrain from participating in an engagement when they lack sufficient knowledge, skills, and competencies to assess the audit area fully.
Answer: A
QUESTION: 3 Which of the following is not true with regard to the internal audit charter?
A. It defines the authorities and responsibilities of the internal audit activity. B. It specifies the minimum resources needed for the internal audit activity. C. It provides a basis for evaluating the internal audit activity. D. It should be approved by senior management and the board.
Answer: B
QUESTION: 4 In assessing the independence of the internal audit activity, a member of a peer review team should consider all of the following factors except
2
CIA-I
A. Access to and frequency of communications with the board of directors or its audit committee. B. The criteria of education and experience considered necessary when filling vacant positions on the audit staff. C. The degree to which auditors assume operating responsibilities. D. The scope and depth of engagement objectives for the audit engagements included in the review.
Answer: B
QUESTION: 5 To enhance the independence of both the internal and external audit functions, audit committees should be composed of
A. A rotating subcommittee of the board of directors or its equivalent. B. A combination of external members of the board of directors and company officers. C. Members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers. D. Only external members of the board of directors or other similar oversight committees.
Answer: D
QUESTION: 6 According to the Standards, the organizational status of the internal audit activity
A. Must be sufficient to permit the accomplishment of its audit responsibilities. B. Is best when the reporting relationship is direct to the board of directors. C. Requires the board's annual approval of the audit schedules, plans, and budgets. D. Is guaranteed when the charter specifically defines its independence.
Answer: A
QUESTION: 7 An employee who recently transferred into the internal audit activity has been assigned to audit the accounts payable system. Which function, if previously performed by the auditor, would represent a conflict of interest?
A. Monitoring the allowance for doubtful accounts. B. Writing procedures for the handling of duplicate payments.
3
CIA-I
C. Signing timekeeping cards for subordinates. D. Reviewing shipping documents for accuracy.
Answer: B
QUESTION: 8 Two individuals are being considered for an audit team that is to perform a highly technical review. Which of the following situations would preclude selection of the individual for the audit due to an objectivity concern? I. Person A is a member of the internal audit staff and has the required technical skills. Person A participated in a controls review of the system to be audited when it was being developed. II. Person B is a technical specialist who understands the audit area but is not a member of the internal audit staff. Although person B has personal credibility in the information systems department to be audited, person B works for another department in the organization.
A. I only. B. II only. C. Both I and II. D. Neither I nor II.
Answer: D
QUESTION: 9 Management asked the internal audit activity to evaluate the appropriateness of selfinsuring against casualty losses and health care for the organization's employees. Should the chief audit executive engage an actuarial consultant to assist in the audit engagement if these skills do not exist on staff?
A. No, because the internal audit activity is skilled in assessing controls and the insurance control concepts are not distinctly different from other control concepts. B. No, because it is a normal audit function to assess risk; this audit engagement is therefore not unique. C. Yes, because an actuarial consultant is essential to determine whether the health-care costs are reasonable. D. Yes, because an actuarial consultant has skills, not usually found in the internal audit activity, to identify and quantify self-insurance risks.
Answer: D
4
CIA-I
QUESTION: 10 Which of the following would be the best source of information for a chief audit executive to use in planning future audit staff requirements?
A. Discussions of audit needs with executive management and the audit committee. B. Review of audit staff education and training records. C. Review of audit staff size and composition of similar-sized companies in the same industry. D. Interviews with existing audit staff.
Answer: A
QUESTION: 11 Which of the following steps would not be included in a program of selecting and developing human resources for an internal audit department? A. Scheduling periodic meetings with individual auditors, during which the chief audit executive provides counsel regarding each auditor's performance and professional career development. B. Establishing an internal review team to assess the auditors' and audit department's compliance with standards, level of audit effectiveness, and compliance with departmental policy. C. Developing specific job descriptions for audit staff, audit managers, and other auditing positions. D. Establishing in-house training programs and requiring continuing education for audit …show more content…
staff.
Answer: B
QUESTION: 12 To ensure that due professional care has been taken during an audit engagement, an internal auditor should always
A. Ensure that all financial information related to the engagement is included in the audit plan and examined for irregularities. B. Document all audit tests completely. C. Consider the possibility of noncompliance or irregularities at all times during an engagement. D. Notify the audit committee of any noncompliance or irregularity discovered during an engagement.
Answer: C
5
CIA-I
QUESTION: 13 According to the Standards, which of the following must an internal auditor take into consideration when performing an assurance engagement of treasury operations? I. The audit committee has requested assurance of the treasury department's compliance with a new policy on the use of financial instruments. II. Treasury management has not instituted any risk management policies. III. Due to the recent sale of a division, the amount of cash and marketable securities managed by the treasury department has increased by 350 percent. IV. The external auditors have indicated some difficulties in obtaining account confirmations.
A. I and II only B. I and IV only C. I, II, and III only D. II, III, and IV only
Answer: C
QUESTION: 14 To promote a positive image within an organization, a chief audit executive (CAE) adjusted the audit plan to focus on assurance engagements that highlighted potential costs to be saved. Negative observations were to be omitted from engagement final communications. Which action taken by the CAE would be considered a violation of the Standards? I. The focus of the audit function was changed without modifying the audit charter or notifying the audit committee. II. Negative observations were omitted from the engagement final communications. III. Cost savings and recommendations were highlighted in the engagement final communications.
A. II only B. I and II only C. I and III only D. I, II, and III
Answer: B
QUESTION: 15 In selecting an instructional strategy for developing internal audit staff, a chief audit executive should first review the
6
CIA-I
A. Department's budget constraints B. Internal auditors' personal development needs C. Content of potential training courses D. Organization's objectives.
Answer: D
QUESTION: 16 Continuing Professional Education (CPE) hours for Certified Internal Auditors may be achieved by
A. Attending audit staff meetings B. Verifying that all completed audit tests are fully documented. C. Publishing an article on the company's internal audit department. D. Obtaining experience on the job.
Answer: C
QUESTION: 17 Which of the following activities is designed to provide feedback on the effectiveness of an internal audit function? I. Proper supervision. II. Proper training. III. Internal assessments IV. External assessments
A. I, II, and III only B. I, II, and IV only C. I, III, and IV only D. II, III, and IV only
Answer: C
QUESTION: 18 An internal quality assessment of the internal audit activity should provide the chief audit executive with
A. Recommendations for improvement B. Objectives for internal audit engagements
7
CIA-I
C. Confirmation of action on past audit recommendations D. Appraisals of internal audit staff performance
Answer: A
QUESTION: 19 In publicly held companies, management often requires the internal audit activity's involvement with quarterly financial statements that are made public and used internally. Which of the following is generally not a reason for such involvement?
A. Management may be concerned about its reputation in the financial markets. B. Management may be concerned about potential penalties that could occur if quarterly financial statements are misstated. C. The Standards state that internal auditors should be involved with reviewing quarterly financial statements. D. Management may perceive that having quarterly financial information examined by the internal auditors enhances its value for internal decision making.
Answer: C
QUESTION: 20 Risk assessments can vary in format, but generally include I. A description of identified risks. II. Tests of audit controls III. A system of rating risks IV. Sample size identification
A. I and II only B. I and III only C. I, III, and IV only D. II, III, and IV only
Answer: B
QUESTION: 21 An organization receives the most value from an internal audit activity's enterprise-wide risk assessment when the auditor
A. Focuses primarily on enterprise-level risks B. Considers activities at all levels of the organization
8
CIA-I
C. Reviews special projects and new initiatives D. Validates supporting financial and operational data
Answer: B
QUESTION: 22 Internal auditors who are concerned with potential risks due to the mishandling of records or transactions should take into consideration
A. The type and nature of the activities to be examined B. Whether employees in key positions of trust are bonded C. The history of losses suffered by the company D. The results of prior risk assessments
Answer: A
QUESTION: 23 A chief audit executive (CAE) used an electronic spreadsheet to facilitate the risk assessment process for a number of different divisions. The spreadsheet included the following factors Complexity of operations Competence of divisional personnel Dollar amount of accounts where management's judgment can affect the expense. The CAE used a group meeting of audit managers to reach a consensus on the competence of divisional personnel. Other factors were assessed as high, medium, or low risk by either the CAE or an audit manager who had audited the division. The CAE weighted each factor and computed a composite risk score. Which of the following statements is correct regarding this risk assessment process?
A. The risk analysis would not be appropriate because it mixes both quantitative and qualitative factors. B. Assessing factors at discrete levels, such as high, medium, and low, is inappropriate for the risk assessment process because the ratings are not quantifiable. C. The weighting is subjective and should have been determined through a process such as multiple regression analysis. D. Using a subjective group consensus to assess personnel competence is appropriae.
Answer: D
QUESTION: 24 Which of the following is a risk factor that a chief audit executive should consider when prioritizing audit work schedules? I. Quality of internal control II. Management competence
9
CIA-I
III. Time of last audit engagement IV. Degree of change or organizational stability
A. I and III only B. I, II, and IV only C. II, III, and IV only D. I, II, III, and IV
Answer: D
QUESTION: 25 A company has entered into a $20,000,000 fixed-price contract with a general contractor for the construction of a new retail outlet. For this contract, which of the following would represent the greatest risk?
A. Excessive labor charged to the project B. Poor physical protection of materials and equipment C. Failure to complete the project within budget D. Substitution of inferior materials
Answer: D
QUESTION: 26 The chief audit executive for an organization has just completed a risk assessment process, identified the areas with the highest risk, and assigned an audit priority to each. Which of the following statements is true and consistent with the International Professional Practices Framework? I. Items should be ranked in the order of quantifiable dollar exposure to the organization. II. The audit priorities should be in order of major control deficiencies. III. The risk assessment, though quantified, is the result of professional judgments about both exposures and probability of occurrences.
A. I only B. III only C. II and III only D. I, II, and III
Answer: B
QUESTION: 27
10
CIA-I
All of the following would normally be involved in preparing for and carrying out the internal audit activity's annual plan except
A. Establishing policies and procedures for workpapers and referencing B. Providing periodic activity reports to the audit committee on audit engagements in progress C. Assessing the amount of risk in major departments D. Training audit staff on appropriate audit methodologies for addressing any newly identified risks.
Answer: A
QUESTION: 28 Responsibility for the coordination of internal audit and external audit efforts should be documented in the
A. Engagement work schedule B. Internal audit charter C. Internal assessment report D. Internal audit activity's strategic plan
Answer: B
QUESTION: 29 Internal auditors can benefit from a strong relationship with the external auditors because external auditors can
A. Provide internal auditors with an independent and knowledgeable viewpoint B. Concur with the internal auditors' reports and thus improve the quality of assurance provided to management C. Increase the effectiveness of internal control sampling techniques D. Assist the internal auditor by providing information obtained from similar audits with other clients
Answer: A
QUESTION: 30 Coordinating internal and external audit efforts can help reduce the amount of time that the external auditors are on site at an organization because the external auditors can
11
CIA-I
A. Copy audit findings from internal audit reports to create the external audit report B. Rely on work performed by the internal audit activity C. Use risk and control analysis provided by the internal audit activity to guide testing for the external audit staff D. Focus on high-risk areas only, as long as an internal audit function exists Answer: B
QUESTION: 31 Using the internal audit department to coordinate regulatory examiners' efforts is beneficial to the organization because internal auditors can
A. Influence regulatory interpretation of law to better match corporate practice B. Recommend changes to the scope of the regulatory examiners' review C. Perform fieldwork for the regulatory examiners and thus shorten the regulatory examiners' review D. Supply evidence of adequate compliance testing through internal audit workpapers and reports
Answer: D
QUESTION: 32 If the annual audit plan does not allow for adequate review of compliance with all material regulations affecting the company, the internal audit activity should
A.
Ensure that the regulations that were not included be reviewed in the subsequent year B. Include a memo in the audit planning file listing the reasons for the lack of coverage. C. Notify the board of directors and senior management of the limitation D. Decrease the scope of operational and financial audits to make additional audit time available
Answer: C QUESTION: 33 Which of the following statements, if true, could justify an auditor's decision not to report governance-related control deficiencies to the audit committee?
A. Management plans to initiate corrective action B. The board of directors has a separate corporate governance committee C. The amounts and the potential risks associated with the deficiencies are not material to the overall organization. D. Governance issues are complex and the auditor should rely on management's analysis of the extent of the problem
12
CIA-I
Answer: C
QUESTION: 34 The primary purpose for the chief audit executive's communication of the internal audit activity's plans and resource requirements to senior management and the board is to
A. Identify internal audit engagement scope limitations B. Indicate future internal audit staffing needs C. Highlight the internal audit activity's view of significant risk areas D. Ensure that the work of the internal audit activity supports the organization's objectives
Answer: D
QUESTION: 35 In a well-developed management environment, the internal audit activity would
A. Report the results of audit engagements to line management as well as to senior management B. Conduct regularly scheduled audits of existing systems and initial audits of new computer systems after they have begun operating. C. Interface primarily with senior management, minimizing interactions with line managers who are the subjects of internal audit work. D. Focus on the maintenance of accounting controls (such as segregation of the duties of authorization, recording, and custody) and report results to the audit committee
Answer: A
QUESTION: 36 According to the International Professional Practices Framework, which of the following describes a key objective of the risk management process that would also be a key responsibility of the internal audit activity?
A. Determine the level of risk acceptable to the organization, including the acceptance of risks designed to accomplish the organization's strategic plans. B. Design and implement risk mitigation activities to reduce risk to levels that have been determined to be acceptable. C. Receive periodic reports of the results of the risk management processes. D. Conduct ongoing monitoring activities to periodically reassess risk and the effectiveness of the controls to manage risk.
13
CIA-I
Answer: D
QUESTION: 37 Which of the following represents the most effective governance structure? Operating Executive Internal Management Management Auditing I. Responsibility for risk Oversight role Advisory role II. Oversight role Responsibility for risk Advisory role III. Responsibility for risk Advisory role Oversight role IV. Oversight role Advisory role Responsibility for risk
A. I. B. II. C. III. D. IV.
Answer: A QUESTION: 38 The internal audit activity's role in the risk assessment and management processes of an organization is determined by the
A. Board of directors B. Chief audit executive C. Risk management department D. External auditors
Answer: A
QUESTION: 39 An organization's chief audit executive (CAE) has been asked to monitor and report on any violations of the organization's code of conduct. The CAE should
A. Review and adjudicate all complaints B. Lead the committee responsible for the oversight of the code C. Develop specific procedures to ensure that the code is clearly communicated to all employees D. Participate in an advisory capacity on the committee that adjudicates any violations
Answer: D
14
CIA-I
QUESTION: 40 The primary objective of risk-based auditing is to assess the
A. Economy of controls B. Compliance with controls C. Adequacy of controls D. Efficiency of controls
Answer: C
QUESTION: 41 Which of the following would be most relevant regarding the internal control environment?
A. Assessing controls over computerized applications B. Documenting the organizational structure C. Comparing and validating internal performance with external benchmarking D. Maintaining and reviewing detailed financial records
Answer: B
QUESTION: 42 Which of the following would provide the best assessment of an organization's ethical climate?
A. Number of years that directors have been appointed to the board B. Evidence of training provided to the board of directors on ethical issues. C. Clarity and consistency of consequences imposed by the board of directors for ethical violations D. Frequency of fraud reported and results of subsequent investigations
Answer: C
QUESTION: 43 When reviewing management reports to the board of directors, the internal audit activity should
A. Evaluate the process used to prepare the management reports.
15
CIA-I
B. Maintain supporting documentation for the management reports. C. Tie all financial numbers in the reports to the general ledger D. Compare to prior-period reports for consistency.
Answer: A
QUESTION: 44 What role, if any, should the internal audit activity have in the process of following up on observations and recommendations made by the external auditors?
A. The internal audit activity should have no role in this process in order to ensure independence. B. The internal audit activity should become involved only if the chief audit executive has sufficient evidence that the follow-up is not occurring. C. The internal audit activity should review the adequacy and effectiveness of management's follow-up actions. D. The internal audit activity should become involved only if specifically requested by management or the board of directors.
Answer: C
QUESTION: 45 Which of the following elements should an auditor recommend for inclusion in an organization's code of ethics? I. Ethics should vary with local customs in the organization's foreign operations. II. Whistle-blowing should be discouraged because it can cause distrust among employees and false accusations which waste organizational resources on investigations. III. Ethical behavior should not be incorporated into performance evaluations because it is too subjective and controversial.
A. I only B. II only C. I, II, and III D. None of the above
Answer: D
QUESTION: 46 A tax consultancy agency retains sensitive personal information regarding its clients. Which of the following is a violation of acceptable privacy practices?
16
CIA-I
A. Copies of printed client information not used by the agency are shredded B. Employees share client information with coworkers with the permission of the client C. The agency only releases client information with management's approval D. The agency advises clients of their privacy rights before they commence business with the agency
Answer: C QUESTION: 47 Noncompliance with which of the following would cause a control deficiency related to privacy protection practices? I. An organization's internal privacy policies II. Financial accounting standards III. Privacy laws and regulations IV. The Standards
A. I and III only B. II and IV only C. II, III, and IV only D. I, II, III, and IV
Answer: A
QUESTION: 48 During a review of data center physical security and environmental controls, an auditor should ensure that I. Visitors are accompanied by authorized personnel at all times II. Only developers and operators have access to the data center III. Fire suppression equipment is tested periodically IV. Fire and water detectors have been installed
A. I and III only B. II and IV only C. I, III, and IV only D. II, III, and IV only
Answer: C
QUESTION: 49 Which of the following is most likely to be an element of an effective compliance program?
17
CIA-I
A. The internal audit activity is assigned responsibility for overseeing the program. B. The program is communicated to employees in a video format on a one-time basis. C. The organization uses monitoring systems designed to detect improper activity. D. The organization obtains as much information as possible when performing background checks on employees.
Answer: C
QUESTION: 50 Which of the following statements is correct regarding corporate compensation systems and related bonuses? I. A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control. II. Compensation systems are not part of an organization's control system and should not be reported as such III. An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses.
A. I only B. II only C. III only D. II and III only
Answer: A
QUESTION: 51 Which statement most accurately describes risk assessment?
A. It is a tool for determining the relative impact of one process on another. B. It is a model used by analysts to determine organizational exposure. C. It is the quantitative and qualitative evaluation of exposures. D. It is the amount of inherent risk in a separately identifiable business entity or transaction.
Answer: C QUESTION: 52 Risk within an internal audit engagement is defined as the
A. Probability that a balance or class of transactions and related assertions contain misstatements that could be material to the financial statements.
18
CIA-I
B. Uncertainty of an event occurring that could have an impact on the achievement of objectives. C. Failure to adhere to organizational policies, plans, and procedures, or the failure to comply with relevant laws and regulations. D. Failure to accomplish established objectives and goals for operations or programs.
Answer: B
QUESTION: 53 Which of the following is a common element of any risk framework?
A. Organizational objectives B. Anticipated product losses C. Board of directors' policies D. Delegation of authority
Answer: A
QUESTION: 54 What is residual risk?
A. Impact of risk B. Risk that is under control C. Risk that is not managed D. Underlying risk in the environment
Answer: C
QUESTION: 55 All of the following statements regarding the responsibility for risk management in an organization are true except
A. Risk management is ultimately the responsibility of the board B. Risk management is enhanced through periodic assessment by line management C. Risk management includes the acceptance of residual risk by executive management D. Risk management requires the involvement of the internal audit activity in order to be accepted by the board
Answer: D
19
CIA-I
QUESTION: 56 What is risk management?
A. Identifying and prioritizing risks B. Measuring risks and determining consequences C. Identifying threats to the organization and likelihood of occurrence D. Determining how much risk is acceptable and what action should be taken.
Answer: D
QUESTION: 57 The primary reason that a bank would maintain a separate compliance function is to
A. Better manage perceived high risks B. Strengthen controls over the bank's investments C. Ensure the independence of line and senior management D. Better respond to shareholder expectations
Answer: A
QUESTION: 58 When reviewing operational risk for a department whose manager adopts a laissez-faire style of leadership, it is most important for the internal auditor to verify that
A. Employee decisions follow department and company guidelines B. The manager considers employees' input when designing new procedures C. Employees are empowered to deal with unusual or emergency situations D. Management has adopted an open-door policy to assist with communication
Answer: A
QUESTION: 59 A major corporation is considering significant organizational changes. Which of the following groups would not be responsible for implementing these changes?
A. Employees B. Senior management C. Common stockholders
20
CIA-I
D. Outside consultants
Answer: C QUESTION: 60 In order to effectively handle conflict between audit team members, an audit team leader should
A. Avoid addressing the conflict until the leader is sure that there is a problem. B. Be assertive and keep the team members focused on a resolution. C. Ask one of the team members to resolve the issue by being more conciliatory. D. Transfer one of the team members to another assignment.
Answer: B QUESTION: 61 Which of the following would be the best example of a monitoring control for a chain of restaurants?
A. Each restaurant manager reconciles the cash received with the food orders recorded on the computer B. All food orders must be entered through the computer, and there is segregation of duties between the food servers and the cooks. C. Corporate management prepares a detailed analysis of gross margin per restaurant and investigates those showing a significantly lower gross margin. D. Proof of bank deposit is transmitted to corporate headquarters on a daily basis.
Answer: C
QUESTION: 62 What is the most effective and efficient control to prevent the diversion of office supplies to an employee's residence by entering an alternate delivery location in an electronic data interchange system?
A. Compare the total number of items ordered with the total number of items received at all mail rooms, and investigate shortages. B. Generate a periodic report that lists any orders with delivery destinations other than company mail rooms, and trace to shipping documents. C. Allow only valid mail room location fields to be used, and require changes to the table of valid locations to be approved on-line. D. Instruct the vendor to deliver only to the mail room for the largest location, and have company personnel send supplies to other locations as needed.
21
CIA-I
Answer: C
QUESTION: 63 Which of the following is an example of a corrective control?
A. Bank accounts are reconciled monthly. B. Exception reports are investigated and resolved. C. Employees are directed to obtain additional training each year. D. Invoices are reconciled to receiving reports before payments are authorized.
Answer: B
QUESTION: 64 All of the following would be part of a control system to prevent release of waste water that does not meet discharge standards except
A. Performing chemical analysis of the water, prior to discharge, for components specified in the permit. B. Specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks and floor drains within the facility. C. Periodically flushing sinks and floor drains with a large volume of clean water to ensure that pollutants are sufficiently diluted. D. Establishing a preventive maintenance program for the pretreatment system.
Answer: C
QUESTION: 65 An organization's sales professionals are potentially abusing the use of cellular phones, resulting in an alarming increase in telephone expenses. Which of the following controls is least likely to curb this abuse?
A. Developing periodic reports to management that show type, length, and number of calls per sales professional, with related totals and comparisons. B. Requiring sales professionals to pay monthly cellular phone bills and subsequently submit only business calls for reimbursement using an expense report process. C. Requiring sales managers to approve monthly bills prior to payment, explain budget variances, and explain increases from previous periods. D. Requiring authorization of the cellular phone bill payment by the manager of the telecommunications department.
22
CIA-I
Answer: D
QUESTION: 66 In advance of a preliminary survey, a chief audit executive sends a memorandum and questionnaire to the supervisors of the department to be audited. What is the most likely result of that procedure?
A. It creates apprehension about the audit engagement. B. It involves the engagement client's supervisory personnel in the audit. C. It is an uneconomical approach to obtaining information. D. It is only useful for audits of distant locations.
Answer: B
QUESTION: 67 During the planning phase of an audit of suspected overbilling on contracts for security services, an auditor should perform all of the following except
A. Interviewing an official of the security services company to determine the cause of recent increases in billings for services. B. Interviewing the manager who requested the audit engagement. C. Obtaining a copy of the contract between the two organizations. D. Preparing an engagement program.
Answer: A
QUESTION: 68 When performing benchmarking during the planning phase of a performance audit, an internal auditor should
A. Determine the current performance gap. B. Project future performance levels. C. Develop functional action plans. D. Identify comparative organizations.
Answer: D
QUESTION: 69
23
CIA-I
Which of the following reasons best justifies the time spent coordinating the work of the internal and external auditors? I. Coordination improves overall audit coverage. II. Coordination assures the quality of internal audit work. III. Coordination encourages compliance with the Standards. IV. Coordination minimizes duplication of audit effort.
A. I and II only. B. I and IV only. C. II and III only. D. III and IV only.
Answer: B
QUESTION: 70 An audit to test the system of controls over the purchase, distribution, and use of radioactive material is being conducted at a company's plants. The process is well documented, and employees in the safety department are very familiar with the department's procedures. Since the purchasing and facilities departments are involved in the process, the auditor is considering reviewing their radioactive material-handling procedures as well. The auditor should
A. Have confidence in the rigorous and detailed safety department procedures, since that department has the main responsibility for radiation safety, and should not use audit time to review other departments. B. Adjust the engagement schedule and budget, if needed, and interview the appropriate individuals in the purchasing and facilities departments to ascertain whether additional controls exist that complement those identified within the safety department. C. Test the controls identified within the safety department; if results are unfavorable, the auditor should consider whether to involve the other departments. D. Defer questions regarding purchasing, facilities, and other departments until audit projects can be scheduled for those departments.
Answer: B
QUESTION: 71 According to the International Professional Practices Framework, which of the following would be considered a scope limitation? I. Divisional management indicates that since the division is in the process of converting a major computer system, the information systems portion of the planned audit will have to be postponed until next year. II. The audit committee reviews the audit plan for the year and deletes an audit that the director thought was important to conduct. III. The sales manager indicates that certain customers cannot be contacted because the
24
CIA-I
organization is in the process of negotiating a long-term contract with them.
A. I only. B. II only. C. I and III only. D. II and III only.
Answer: C QUESTION: 72 While researching a topic during a telecommunications audit, an auditor identified a security vulnerability with the entity's revenue accounting system. The accounting system is outside the scope of the current audit engagement. The auditor should
A. Disregard the security vulnerability and address it during the audit of the revenue accounting system. B. Include the revenue accounting system in the scope of the current audit engagement and address the vulnerability in the report. C. Alert management to the identified security vulnerability. D. Develop a solution to the security vulnerability and then inform management.
Answer: C QUESTION: 73 Which statement most accurately describes how criteria are established for use by internal auditors in determining whether goals and objectives have been accomplished?
A. Management is responsible for establishing the criteria. B. Internal auditors should use professional standards or government regulations to establish the criteria. C. The industry in which a company operates establishes criteria for each member company through benchmarks and best practices for that industry. D. Appropriate accounting or auditing standards, including international standards, should be used as the criteria. Answer: A
QUESTION: 74 If an engagement client's operating standards are vague and thus subject to interpretation, the auditor should
A. Seek agreement with the client as to the standards to be used to measure operating performance.
25
CIA-I
B. Determine best practices in the area and use them as the standard. C. Interpret the standards in their strictest sense because standards are otherwise only minimum measures of acceptance. D. Omit any comments on standards and the client's performance in relationship to those standards, because such an analysis would be meaningless.
Answer: A
QUESTION: 75 Which of the following does not describe a skill or knowledge necessary to supervise a particular audit engagement?
A. The ability to review and analyze an engagement program to determine if the proposed audit procedures will result in evidence relevant to the engagement objectives. B. The ability to use risk assessment and other judgmental processes to develop an engagement plan and schedule for the department, and present the plan to the audit committee. C. The ability to assure that an engagement final communication is supported and accurate relative to the evidence documented in the engagement working papers. D. The ability to determine that staff auditors have completed the audit procedures and that engagement objectives have been met.
Answer: B
QUESTION: 76 Which of the following statements regarding an internal auditor's responsibility for detecting fraud is not correct?
A. The auditor should detect fraud if red flags are present. B. The auditor should have sufficient knowledge to correctly identify indicators that fraud may have been committed. C. The auditor should identify control weaknesses which could allow fraud to occur. D. The auditor should evaluate the indicators of fraud sufficiently to determine if a fraud investigation should take place.
Answer: A
QUESTION: 77 A fleet maintenance division uses a different code for each type of inventory transaction. A daily summary report lists activity by part number and transaction code. The report is reconciled by the parts room supervisor to the day's material request forms and is then forwarded to the fleet manager for approval. An auditor is considering an
26
CIA-I
analytical review of transaction codes and materials used. One objective of this review might be to
A. Provide evidence of inventory items that are overstocked. B. Reveal shortages in perpetual inventory records. C. Determine whether inventory items are properly valued. D. Identify possible material lost due to employee theft.
Answer: D QUESTION: 78 While analyzing substantial increases in the cost of goods sold, an auditor for a retail organization notes that payments to certain vendors appear to be unusually high. Which of the following procedures would be least effective in investigating possible kickbacks to purchasing agents?
A. Confirm all contract terms and specifications with vendors. B. Analyze, by purchasing agent, all increases in costs of procured goods from specific vendors. C. Select a statistical sample of goods purchased and compare purchase prices with those of other sources of similar goods. D. Consider any changes in the lifestyles or individual consumption habits of the purchasing agents.
Answer: A
QUESTION: 79 A manufacturer uses a materials requirements planning (MRP) system to track inventory, orders, and raw materials requirements. What condition should an auditor search for in the MRP database if a preliminary assessment indicated that inventory is understated? I. Item cost set at zero. II. Negative quantities on hand. III. Order quantity exceeding requirements. IV. Inventory lead times exceeding delivery schedule.
A. I and II only. B. I and IV only. C. II and IV only. D. III and IV only.
Answer: A
27
CIA-I
QUESTION: 80 During the preliminary survey phase of an audit of the purchasing function, an auditor determines that the procurement policy requires either quotes or formal bids, depending on the amount of the purchase. Which procedure should be performed to determine if fieldwork for policy compliance is necessary?
A. Develop a five-year trend analysis of the purchasing department's expenses. B. Determine the volume of purchase orders processed for the audit period. C. Determine the volume of contracts awarded for the audit period. D. Chart the purchases made for the audit period by type and dollar amount.
Answer: D QUESTION: 81 When the internal audit activity lacks the expertise to perform a specific engagement, the chief audit executive (CAE) should
A. Negotiate with management to remove from the scope any portion of the audit that the staff is unable to perform. B. Use external resources with sufficient expertise to accomplish the engagement. C. Postpone the engagement until the CAE can hire a new internal auditor with the relevant skills. D. Continue with the engagement but rely on management's self-assessment in the areas where the audit staff lacks expertise.
Answer: B
QUESTION: 82 Which of the following risk factors is generally the most important for an internal auditor to consider when planning an assurance engagement for a department?
A. The quality of the department's internal control system. B. The liquidity of the department's assets. C. The results of previous audit engagements for that division. D. The diversification of risk in the industry.
Answer: A
QUESTION: 83 Which of the following describes the activity of trading futures with the objective of reducing or controlling risk?
28
CIA-I
A. Insuring B. Hedging. C. Short-selling. D. Factoring.
Answer: B
QUESTION: 84 Which of the following factors should an internal auditor consider when planning an audit of an activity?
A. The objectives of the activity, the number of employees involved, and the control system. B. The qualifications of management, the significant risks, and the control system. C. The objectives of the activity, the significant risks, and the control system. D. The number of employees involved, the control system, and the recommendations of external auditors.
Answer: C
QUESTION: 85 Which of the following would be of the most assistance to a chief audit executive in prioritizing the annual audit plan?
A. Risk assessment. B. Value-at-risk technique. C. Value-for-money approach. D. Control standards.
Answer: A
QUESTION: 86 A recently appointed chief audit executive (CAE) learns that the audit plan for the upcoming year prepared by the CAE's predecessor has only been reviewed by the audit committee. Which of the following would be the most appropriate action for the CAE to take next in order to gain management support for the audit plan?
A. Send a copy of the entire audit plan to management of the areas to be audited, with specific assigned dates when the engagements will be conducted.
29
CIA-I
B. Meet with management of each area to be audited and explain the purpose and scope of the audit engagement in their area. C. Plan for formal entry meetings and engagement letters at the beginning of each engagement and ensure that management understands all work to be undertaken. D. Proceed with the audit plan because it is already approved.
Answer: B
QUESTION: 87 An internal audit activity that reports both functionally and administratively to the chief financial officer is more likely to
A. Produce business-oriented and relevant findings. B. Have its audit independence questioned. C. Produce fewer audit recommendations. D. Have its recommendations implemented by management.
Answer: B QUESTION: 88 An internal auditor would review prior audit reports when planning an audit engagement in order to I. Identify previously reported problem areas for further follow-up. II. Eliminate previously reviewed areas from further examination. III. Gain an understanding of the audited area's business processes and control activities. IV. Understand the concerns or requests of management.
A. II only. B. I and III only. C. I and IV only. D. II and III only. Answer: B QUESTION: 89 Which of the following best describes the internal audit activity's role in supporting the board in enterprise-wide risk assessment?
A. Ensure that sound risk management processes are in place and functioning. B. Oversee risk management processes to determine if they are adequate and effective. C. Examine, evaluate, report on, and recommend improvements on the adequacy and effectiveness of risk processes. D. Implement risk management methodologies and controls to address risks identified.
30
CIA-I
Answer: C QUESTION: 90 Which of the following is the least appropriate action for an internal auditor to take in support of an organization's ethical culture?
A. Assess the state of the ethical climate. B. Provide guidance to employees regarding ethical dilemmas. C. Evaluate the effectiveness of the organization's code of conduct. D. Determine the appropriateness of expected ethical attitudes and behaviors.
Answer: B
QUESTION: 91 Which of the following should an internal audit activity take into consideration when evaluating an organization's privacy framework? I. Types of information gathered by the organization. II. Methods used to collect and store information. III. Location and custody of key information. IV. Intended use of information that is collected and stored.
A. I and III only. B. I, II, and IV only. C. II, III, and IV only. D. I, II, III, and IV.
Answer: D
QUESTION: 92 In addition to risk materiality, which of the following should be considered during the process of ranking and validating an organization's risk priorities?
A. Possible financial loss. B. Competency of internal audit staff. C. Likelihood of risk occurrence. D. Liquidity of assets.
Answer: C
QUESTION: 93
31
CIA-I
According to the International Professional Practices Framework, which of the following criteria should be used to evaluate an organization's governance process?
A. Risk, control activities, information, and monitoring. B. Strategies, policies, procedures, and operations. C. Values, goals, monitoring, and accountability. D. Regulations, rules, laws, and systems.
Answer: C
QUESTION: 94 An annual audit plan would be the primary method of identifying the internal audit activity's
A. Authority. B. Resource needs. C. Reporting requirements. D. Independence.
Answer: B
QUESTION: 95 An organization's decision to outsource its computer systems support is an example of which of the following risk responses?
A. Risk acceptance. B. Risk sharing. C. Risk avoidance. D. Risk reduction.
Answer: B
QUESTION: 96 An organization automatically compares the total number of transactions processed and passed from its online order-entry system to the number of transactions received in its billing system and calculates variances. This is an example of which of the following information technology controls?
A. Logic test. B. Check digits.
32
CIA-I
C. Data reasonableness tests. D. Balancing control activities.
Answer: D
QUESTION: 97 According to the Standards, which of the following should be defined in the internal audit charter? I. The internal audit activity's position within the organization. II. The audit activities to be performed during the upcoming year. III. The scope of internal audit activities. IV. Management and the board of directors' agreement regarding the roles and responsibilities of the internal audit activity.
A. I and IV only. B. II and III only. C. I, III, and IV only. D. I, II, III, and IV.
Answer: C
QUESTION: 98 Which of the following would not compromise an internal auditor's objectivity?
A. Preparing bank reconciliations. B. Reviewing procedures before they are implemented. C. Auditing an activity for which the auditor had responsibility in the past year. D. Providing both advisory services and audit services for a project.
Answer: B QUESTION: 99 The most important reason for the chief audit executive to ensure that the internal audit department has adequate and sufficient resources is to
A. Ensure that the function is adequately protected from outsourcing. B. Demonstrate sufficient capability to meet the audit plan requirements. C. Establish credibility with the audit committee and management. D. Fulfill the need for effective succession planning.
Answer: B
33
CIA-I
QUESTION: 100 If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
A. Consider the work of the other department when assessing the function or process. B. Not consider the work of the other department and proceed with an independent audit. C. Reduce the scope of any audit of the function or process because a review has already been performed by the other department. D. Delegate the responsibility for assessing the function or process to the other department.
Answer: A
QUESTION: 101 Which statement is not true regarding the performance management process?
A. Staff specialists own the process in order to ensure implementation and accountability. B. Subordinates and superiors have shared responsibility for managing the process. C. Performance management is linked to competence and knowledge management. D. Performance management is integrated into other organizational and human resource processes.
Answer: A
QUESTION: 102 Which of the following environments is most likely to help prevent fraud within an organization? I. Realistic organizational goals and objectives have been set. II. Legal counsel is available for consultation on a timely basis. III. Procedures exist to investigate fraud when it is identified. IV. A well-designed control system exists.
A. I and II only. B. I and IV only. C. II and III only. D. III and IV only.
Answer: B
34
CIA-I
QUESTION: 103 Which of the following is an objective of internal control?
A. Reconciliation. B. Accuracy. C. Segregation of duties. D. Authorization.
Answer: B
QUESTION: 104 An internal audit activity encounters a scope limitation from senior management that will affect its ability to meet its goals and objectives for a potential engagement client. The nature of the scope limitation should be
A. Noted in the audit workpapers, but the engagement should be carried out as scheduled, with any necessary adjustments made based on the scope limitation. B. Communicated to the external auditors so that they can investigate the area in more detail. C. Communicated, preferably in writing, to the board. D. Communicated to management, stating that the limitation will not be accepted because it would impair the audit activity's independence.
Answer: C
QUESTION: 105 Which of the following situations allows for the most objectivity on the part of an internal auditor?
A. Assessing testing procedures in a new computer system. B. Performing a risk assessment of a new financial instrument. C. Drawing conclusions from a sample of financial transactions. D. Comparing current environmental activities against legislation.
Answer: D
QUESTION: 106 After several years in the engineering department, an engineer was transferred to the internal audit department. One month later, the new auditor was assigned to an
35
CIA-I
assurance engagement for the engineering department. When the auditor's former engineering supervisor suggested a change in the sample selection method, the auditor consulted with the audit supervisor. They determined that the suggested method would not be as representative and that the original selection method should be used. In this situation, the auditor
A. Maintained an independent mental attitude and is therefore objective. B. Has subordinated professional judgment, and objectivity is therefore impaired. C. Does not have objectivity since the auditor recently transferred from the engineering department. D. Does not have independent organizational status since the auditor recently transferred from the engineering department.
Answer: C
QUESTION: 107 To assure that the technical proficiency of internal auditors is appropriate for the audit engagements to be performed, a chief audit executive should
A. Consider the scope of work and level of responsibility when establishing criteria for education and experience in filling internal auditing positions. B. Ensure that each newly hired auditor is qualified in all of the disciplines needed to accomplish the department's audit mission. C. Oversee a training program that matches the actual training provided with the interests of individual auditors. D. Require all of the audit staff to pursue a minimum number of Continuing Professional Education hours each year.
Answer: A QUESTION: 108 In order to exercise due professional care as defined in the International Professional Practices Framework, an internal auditor should I. Consider the probability of significant noncompliance in each audit engagement. II. Perform assurance procedures with sufficient care to ensure that all risks are identified. III. Weigh the cost of assurance against the benefits. A. I and II only. B. I and III only. C. II and III only. D. I, II, and III.
Answer: B
36
CIA-I
QUESTION: 109 An internal auditor audited a department store's cash function. Which of the following actions would indicate a lack of due professional care by the auditor?
A. Based on a well-designed system of internal controls over the cash function, the audit report assured senior management that no irregularities existed. B. A flowchart of the entire cash function was developed but only samples of transactions were tested. C. The audit report included a well-supported recommendation for a reduction in staff even though such a reduction might adversely impact morale. D. The auditor informed appropriate authorities within the organization about suspected wrongdoing but did not inform external authorities.
Answer: A
QUESTION: 110 In order to save time, an audit manager no longer required that a standard internal control questionnaire be completed for each audit engagement. Does this represent a violation of the Standards?
A. Yes, because internal control should be evaluated on every engagement and the internal control questionnaire is the mandated approach to evaluate controls. B. Yes, because internal control should be evaluated on every engagement and the internal control questionnaire is the most efficient method to do so. C. No, because auditors may omit necessary procedures if there is a time constraint, based on audit judgment. D. No, because auditors are not required to complete internal control questionnaires on every engagement.
Answer: D
QUESTION: 111 The chief commodity trader for a large energy company learns from a friend that a competitor will likely fail its upcoming regulatory audit and will be forced to temporarily decrease production. If the information is true, the trader has short-term opportunities to make trades that will financially benefit the trader's company and will lead to a substantial increase in the trader's performance bonus. However, if the information is not true, making the trades will significantly increase the company's risk of being caught in a long position. From an ethical perspective, which of the following would be the most appropriate course of action for the trader to take?
37
CIA-I
A. Make the trade because the company and the trader will both benefit. B. Have another trader on staff make the trade in order to avoid a conflict of interest. C. Disclose the information to the risk oversight committee but proceed with the trade to capitalize on the opportunity. D. Defer the decision to management and risk the loss of the trading opportunity.
Answer: D
QUESTION: 112 An internal auditor pays to participate in the company's annual golf tournament, which is held outside of normal business hours. The auditor wins the putting contest and is awarded an all-expense-paid weekend vacation. According to the IIA Code of Ethics regarding objectivity, the auditor's best course of action would be to
A. Refuse the prize because the amount is significant. B. Accept the prize because the event was held outside of normal business hours. C. Refuse the prize because it represents an impairment to objectivity. D. Accept the prize because the auditor received no special treatment.
Answer: D QUESTION: 113 Risk assessments are valuable to the internal audit activity's planning process because they assist in
A. Eliminating all areas with low risk from the audit plan. B. Educating management on the importance of keeping the internal audit activity informed of organizational changes. C. Identifying the audit universe or auditable activities that need to be reviewed. D. Identifying risks that management and the internal auditors have overlooked.
Answer: C QUESTION: 114 Which of the following audit activities is within the scope of assurance activities as stated in the International Professional Practices Framework?
A. Review a make-or-buy decision and report a recommendation to management for approval. B. Participate in negotiations for a corporate acquisition. C. Assess financing alternatives for a new generator. D. Perform an evaluation of management's planning process.
38
CIA-I
Answer: C
QUESTION: 115 Which of the following would be the most useful in developing an annual audit plan?
A. General purpose audit software. B. Voting software and hardware. C. Flowcharting and data capture software. D. Risk assessment software.
Answer: D
QUESTION: 116 Which of the following is true with respect to the risk assessment process?
A. The ethical climate should not be included since this factor cannot be measured quantitatively. B. More than one risk factor may have to be used to ensure that the risk assessment is comprehensive. C. Each risk factor should be given equal weighting in order to reduce the opportunity for bias. D. The risk assessment process should be conducted at least every three years.
Answer: B
QUESTION: 117 A quantitative risk assessment model has all of the following advantages except
A. Accommodating a large number of risk factors in the assessment. B. Providing documentation for the chief audit executive, who must defend the longrange audit plan. C. Providing a systematic method of applying weightings to risks and priorities. D. Removing the need for judgment on the part of the chief audit executive.
Answer: D
QUESTION: 118 Which of the following statements is correct regarding risk analysis?
39
CIA-I
A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis. B. The highest risk assessment should always be assigned to the area with the largest potential loss. C. The highest risk assessment should always be assigned to the area with the highest probability of occurrence. D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
Answer: A QUESTION: 119 Which of the following is the primary concern of an internal auditor in a comprehensive audit of an organization?
A. Accuracy of reports on the source and use of funds. B. Extent of achievement of the organization's mission. C. Confirmation of compliance with policies and procedures. D. Appropriateness of procedures related to the budgeting process.
Answer: B
QUESTION: 120 Management should be included in the development of the audit plan in order to
A. Provide assurance that past audit recommendations have been properly implemented. B. Select the audit tests that will be used for each engagement. C. Verify that the highest risks are included in the risk-based audit plan. D. Guarantee access to the organization's sites and records for audit work.
Answer: C QUESTION: 121 When developing the annual audit plan and reviewing risk assessment priorities, a chief audit executive should always identify the
A. Potential recommendations for each auditable activity. B. Persons to whom engagement reports will be communicated. C. Engagement procedures to be used during the engagements. D. Internal audit resources required to achieve the audit plan.
40
CIA-I
Answer: D
QUESTION: 122 Overall audit efficiency is enhanced between the internal and external audit functions when
A. Internal audit coverage is reduced to avoid potential conflicts of interest. B. Audits of the same department are conducted at different times. C. The internal audit department reviews functions or departments prior to the external audit. D. External audit scope is reduced based on the internal audit department's activities.
Answer: D QUESTION: 123 A chief audit executive (CAE) is obtaining information required by a regulatory oversight body and discovers a situation that requires management to take immediate corrective action. What is the best course of action for the CAE to take?
A. Wait until all of the information has been gathered and reported to the oversight body before reporting the situation to management. B. Check with legal counsel to determine whether the situation can be reported to management before all information has been submitted to the oversight body. C. Report the situation to management immediately. D. Schedule an engagement to explore the situation in depth, before reporting to either management or the oversight body.
Answer: C QUESTION: 124 Which of the following should be included in the internal audit activity's annual plan?
A. Degree of testing that will be required to achieve the plan's objectives. B. Scope of internal audit work and any limitations placed on that scope. C. Details of preliminary surveys to be carried out before each engagement. D. Procedures that will be used to conduct each planned engagement.
Answer: B QUESTION: 125
41
CIA-I
A chief audit executive (CAE) believes that senior management has accepted a level of residual risk that is unacceptable to the organization. According to the Standards, the CAE must first discuss the matter with the organization's
A. Senior management. B. Audit committee. C. External auditors. D. Board.
Answer: A QUESTION: 126 A chief audit executive (CAE) has learned that a system currently being installed in the CAE's organization is identical to one that suffered a catastrophic failure in another organization. The CAE should
A. Disregard the issue because there has been no audit work undertaken or any type of reliable information provided. B. Notify senior management and request that the installation be halted. C. Add the issue to the annual audit plan and schedule an engagement when time is available. D. Investigate the issue further even though there is no provision in the audit plan for this work.
Answer: D
QUESTION: 127 Assessments of the independence of an organization's external auditors should I. Be carried out only when the external auditor is appointed. II. Be carried out when the external auditor is appointed and regularly thereafter. III. Not include any participation by the internal audit activity. IV. Include participation by the internal audit activity.
A. I and III only. B. I and IV only. C. II and III only. D. II and IV only.
Answer: D
QUESTION: 128
42
CIA-I
Which of the following is the most important limitation on the effectiveness of audit committees?
A. Audit committees may be composed of independent directors; however, those directors may have close personal and professional friendships with management. B. Audit committee members are compensated by the organization and thus favor a stockholder view. C. Audit committees devote most of their efforts to external audit concerns and do not pay much attention to internal auditing and the overall control environment. D. Audit committee members do not normally have degrees in the accounting or auditing fields.
Answer: A QUESTION: 129 Which of the following management actions would be most effective in order to strengthen ethical awareness within an organization? A. Require employees to certify that they have read and understand the organization's code of conduct. B. Ensure that all employees pass a criminal background check prior to being hired. C. Mandate that employees follow documented departmental procedures and processes. D. Request that the internal audit activity test departments with a higher risk of employee fraud.
Answer: A QUESTION: 130 An internal auditor has been asked to review the treasury department's compliance with corporate policy related to the use of forward trading to manage currency valuation risk. The auditor finds no related policies in the corporate policy manual but does discover that the department is following a policy developed by the company's bank. The most appropriate response from the auditor would be to
A. Withdraw from the audit engagement because there is nothing to audit due to the lack of a corporate policy. B. Perform no further audit work and report the lack of a corporate policy as an audit observation. C. Postpone the audit engagement until a corporate policy can be established. D. Use the bank's policy as the audit criteria and determine whether formal adoption should be recommended in the engagement final communication.
Answer: D
43
CIA-I
QUESTION: 131 During an audit engagement, an internal auditor finds that management is not complying with previous commitments made to the external auditors. However, the auditor determines management's actions to be justified due to significant changes in the business. The best course of action for the auditor to take would be to
A. Proceed with the audit engagement and assess the changes actually implemented by management. B. Inform the external auditors and seek their guidance. C. Inform the external auditors and remove the associated work from the internal audit scope. D. Compare the recommended changes against the changes made by management and advise management which action to take.
Answer: A
QUESTION: 132 Which of the following actions taken by management would most likely improve an organization's moral climate?
A. Making changes in organizational policies. B. Promoting changes in employee attitudes. C. Evaluating the organization's moral climate. D. Modeling appropriate behavior in the workplace.
Answer: D
QUESTION: 133 In addition to data protection, which of the following is a control that is typically used by companies to safeguard the privacy rights of their customers? I. End-user computing. II. Encryption of data. III. Spyware. IV. Intrusion detection.
A. II only. B. I and III only. C. II and IV only. D. I, II, and IV only.
Answer: C
44
CIA-I
QUESTION: 134 When reviewing the information security in an organization, an internal auditor should always recommend to management the strongest security system that is compatible with the organization's
A. Willingness to incur security costs. B. Business practices and risk factors. C. Existing technical and staff competencies. D. Understanding of security weaknesses.
Answer: B
QUESTION: 135 Which of the following best describes the procedures used by the representatives of an organization's stakeholders to provide oversight of the processes administered by management?
A. Governance. B. Control. C. Risk management. D. Monitoring.
Answer: A
QUESTION: 136 Which of the following statements regarding organizational governance is not correct?
A. An effective internal audit function is one of the four cornerstones of good governance. B. Those performing governance activities are accountable to the customer. C. Accountability is one of the key elements of organizational governance. D. Governance principles and the need for an internal audit function are applicable to governmental and not-for-profit activities. Answer: B
QUESTION: 137 Why is the concept of residual risk important?
45
CIA-I
A. Because residual risk is difficult to measure. B. Because residual risk is all of the risk that remains after controls are established. C. Because the cost-benefit analysis supporting control design is part of the measure of residual risk. D. Because the risk that remains after control design and implementation needs to be acceptable to senior management.
Answer: D
QUESTION: 138 A major difference between enterprise risk management and traditional risk management lies in the narrow focus of traditional risk management on I. Property and liability risks. II. Risks with insurance solutions. III. Risks impacting organizational objectives.
A. I and II only. B. I and III only. C. II and III only. D. I, II, and III.
Answer: A
QUESTION: 139 When an external auditor unknowingly fails to modify an opinion on financial statements that are materially misstated, this is an example of
A. An inherent risk. B. A control risk. C. An audit risk. D. A residual risk.
Answer: C
QUESTION: 140 In the annual audit of the financial statements of a company with high inherent risk and a very strong control system, the external auditor may be able to allow detection risk to rise because
A. Audit risk has been reduced. B. Control risk has been assessed at a lower level.
46
CIA-I
C. The company's operations are very susceptible to misstatements. D. Whenever inherent risk is high, control risk is disregarded.
Answer: B
QUESTION: 141 The first stage in the development of a crisis management program is to
A. Formulate contingency plans. B. Conduct a risk analysis. C. Create a crisis management team. D. Practice the response to a crisis.
Answer: B QUESTION: 142 Organizations that use a highly structured command-and-control management approach are at greater risk of
A. Delayed response due to the inability to reach consensus among decision makers. B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors. C. Erosion of staff morale due to perceptions of ineffective leadership. D. Waste and abuse of organizational resources resulting from management override of controls.
Answer: B
QUESTION: 143 Of the following reasons for employees to resist a major change in organizational processes, which is least likely?
A. Threat of job loss. B. Required attendance at training classes. C. Breakup of existing work groups. D. Imposition of new processes by senior management without prior discussion.
Answer: B
QUESTION: 144
47
CIA-I
When significant change is required, management is least likely to be able to change the organization's
A. Members. B. Structure. C. Environment. D. Technology.
Answer: C
QUESTION: 145 Which of the following is not an appropriate control related to sales in a manufacturing company?
A. Customers' orders are recorded promptly. B. Goods shipped are matched with valid customer orders. C. Goods returned are inspected for damage by the sales department and then entered into inventory. D. Credit department approval is required for credit sales transactions.
Answer: C
QUESTION: 146 The percentage of orders that are rush orders and the percentage of returns to total orders are examples of which of the following types of control activities?
A. Quality control monitoring. B. Direct functional management. C. Benchmarking. D. Performance indicators.
Answer: D
QUESTION: 147 The best reason for separating the cash-receiving function from the related recordkeeping function is to
A. Segregate cash payments from cash receipts. B. Provide accountability for cash received.
48
CIA-I
C. Minimize misappropriations in cash receipts. D. Improve physical security over the cash-receiving function.
Answer: C
QUESTION: 148 Which of the following would be the least effective in preventing purchasing agents from taking kickbacks or gifts from vendors in exchange for favorable contracts?
A. A specific corporate policy prohibiting the acceptance of anything of value from a vendor. B. A corporate code of ethics prohibiting any activity that might impair objectivity. C. A requirement for purchasing agents to develop a company profile of each new vendor before it is added to the authorized vendor list. D. The establishment of long-term contracts with major vendors, with the contract terms approved by senior management.
Answer: C
QUESTION: 149 Which of the following lists the audit activities in the order in which they would generally be completed during a preliminary survey? I. Write detailed audit procedures. II. Identify client objectives, goals, and standards. III. Identify risks and controls intended to prevent associated losses. IV. Determine relevant engagement objectives.
A. II, I, IV, III. B. II, III, IV, I. C. III, IV, II, I. D. II, IV, I, III.
Answer: B QUESTION: 150 An audit of the quality control department is being planned. Which of the following would least likely be used in the preparation of a preliminary survey questionnaire?
A. An analysis of quality control documents. B. The permanent audit file. C. The prior audit report. D. Management's charter for the quality control department.
49
CIA-I
Answer: A QUESTION: 151 An objective for an audit of a medical research corporation is to evaluate management's controls to ensure that timely reports are submitted to sponsors of contracted research projects. In planning the audit to achieve this objective, the auditor should begin by
A. Reviewing policies and procedures. B. Interviewing a group of research managers. C. Observing report preparation in a number of laboratories. D. Sending a questionnaire to a sample of research sponsors.
Answer: A
QUESTION: 152 Which of the following internal control weaknesses would an auditor most likely detect while reviewing a flowchart that depicts the purchasing function of an organization?
A. Purchasing policies have not been updated. B. The organization is not taking advantage of quantity discounts available from its suppliers. C. Payments for goods received have not been authorized at the appropriate level. D. Payments to suppliers are made before goods are received.
Answer: D QUESTION: 153 Inadequate risk assessment would have the strongest negative impact in which of the following phases of an audit engagement?
A. Determining the scope. B. Reviewing internal controls. C. Testing. D. Evaluating findings.
Answer: A
QUESTION: 154
50
CIA-I
An organization has a policy requiring two signatures on all checks written for amounts in excess of $10,000. When evaluating controls over disbursements, an auditor would conclude that a greater risk exists if
A. The auditor located two checks for $9,000 each that contained one authorized signature. B. The $10,000 was an immaterial amount to the organization and very few cash disbursements required an amount in excess of $10,000. C. The director of accounting was not one of the authorized signers. D. There were several instances in which successively numbered checks for amounts between $5,000 and $10,000 were made payable to the same vendor.
Answer: D
QUESTION: 155 Which of the following corporate travel policies is least likely to be cost-effective?
A. Negotiating corporate agreements with hotels, airlines, and car rental firms. B. Tracking credits for canceled airline reservations. C. Selecting the least expensive airline travel available, without regard to total travel time and distance. D. Traveling to facilities in tourist areas during the off-season when possible.
Answer: C
QUESTION: 156 Which of the following is a control weakness that allows for the greatest probability of fraud?
A. The log-on accounts for the computerized information management system are not immediately canceled for terminated employees. B. Scheduled physical counts to verify the perpetual inventory system are frequently delayed because of staff shortages and conflicting priorities. C. An employee is responsible for entering identifying information into the inventory database whenever supplies are delivered. A manager periodically compares inventory records with supplies on hand. D. The employee who handles all cash sales has responsibility for balancing the cash register and making bank deposits.
Answer: D
51
CIA-I
QUESTION: 157 In a manufacturing organization, all sales prices are determined centrally and are electronically sent to the distribution centers to update their sales price tables. Any pricing deviations must be approved by central headquarters. To determine how this process is functioning, an internal auditor should
A. Document the flow of sales price information, and determine how the table is accessed and updated. B. Develop a flowchart of the sales order process to determine how orders are taken and priced. C. Identify who approves the shipment of goods and how the goods are priced. D. Obtain a copy of the existing flowchart for the computer program to determine how price data are accessed. Answer: A QUESTION: 158 To determine if a new computer system is improving the use of a manufacturer's limited facilities in serving the largest number of customers, an auditor should compare
A. The number of reworked orders and their costs before and after system installation. B. Inventory and materials handling costs before and after system installation. C. The number of orders filled and their cycle times before and after system installation. D. The number of reworked orders and orders filled before and after system installation.
Answer: C
QUESTION: 159 A retail store uses a computerized perpetual inventory system with annual physical counts. The best approach for determining whether item counts in the perpetual inventory records are accurate at interim dates is to use generalized audit software to
A. Generate stratified random samples of items for manual counting and compare counts to perpetual inventory records. B. Compare beginning and ending perpetual inventory counts after adjustment for sales and replenishments. C. Compute revised item count values by adjusting existing counts for spoilage and shrinkage. D. Simulate inventory transactions between physical inventory counts taken annually.
Answer: A
52
CIA-I
QUESTION: 160 Which of the following best describes the most important criteria when assigning responsibility for specific tasks required in an audit engagement?
A. Auditors must be given assignments based primarily upon their years of experience. B. All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily. C. Tasks must be assigned to the audit team member who is most qualified to perform them. D. All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.
Answer: B QUESTION: 161 Auditors 1, 2, and 3 work out of various offices. Each must be assigned to one, and only one, of three audit locations (A, B, or C). The cost of sending each auditor to each location is listed below Audit Locations Auditor 1 Auditor 2 Auditor 3 A $200 $400 $200 B $300 $300 $200 C $400 $600 $500 The minimum cost with which this assignment can be accomplished is
A. $800 B. $900 C. $1,000 D. $1,100 Answer: B QUESTION: 162 In developing an appropriate work program for an audit engagement, the most important factor for an audit supervisor to consider is the
A. Availability of records and data. B. Potential impact of risks. C. Capabilities of audit personnel. D. Time required to complete the engagement.
Answer: B QUESTION: 163 Which of the following would an internal auditor consider when developing engagement objectives? I. Estimated time to complete the engagement. II. Probability of significant errors. III. Risks, controls, and governance processes.
53
CIA-I
IV. Budgeted cost and resource requirements.
A. II only. B. I and IV only. C. I and III only. D. I, III, and IV only.
Answer: C
QUESTION: 164 Coordination between the internal auditors and the external auditors tends to
A. Increase risks due to potential communication issues arising from internal auditors' allegiance to the company. B. Decrease risks due to the internal auditors' knowledge of the company and industry. C. Increase risks due to differing views on the nature and adequacy of internal controls. D. Decrease risks by using internal auditors to perform low-level external audit testing.
Answer: B
QUESTION: 165 A manufacturer of very expensive precision optical equipment has experienced a significant increase in production costs over the past three months. The plant manager has demanded an immediate audit to identify the cause of the increases. Which of the following is true regarding this request?
A. The chief audit executive (CAE) may accept the request but is not obligated to act upon it. B. The CAE should decline the request because the plant manager is not authorized to make audit requests. C. According to the Standards, only audits approved by the audit committee may be performed. D. Accepting the request would jeopardize the integrity of the existing audit plan.
Answer: A
QUESTION: 166 In which order should an environmental auditor audit the following manufacturing plants? Factor Hazard rating Prior audit results Plant population Plant 1 Medium Average Small
54
CIA-I
Plant 2 High Plant 3 Low
Poor Good
Medium Large
A. 1, 2, 3. B. 1, 3, 2. C. 2, 1, 3. D. 2, 3, 1.
Answer: C
QUESTION: 167 A large financial services firm has a formal privacy policy and recently hired a chief privacy officer. Since the new chief privacy officer has taken over, risk assessments have been performed, priorities have been established, and resources have been allocated to ensure that effective and consistent privacy controls could be implemented and maintained throughout the company. Based on the Capability Maturity Model (CMM), what level of maturity has the firm reached regarding its privacy strategy?
A. Defined. B. Managed. C. Repeatable. D. Optimized.
Answer: A QUESTION: 168 Which of the following is an appropriate management strategy for supporting an organization's code of conduct? I. Offering training opportunities for all employees on ethics topics. II. Surveying employees, suppliers, and customers regarding compliance. III. Using case studies and examples of appropriate and inappropriate behaviors. IV. Establishing clear delineation of responsibilities throughout the organization.
A. II and IV only. B. I, II, and III only. C. I, III, and IV only. D. I, II, III, and IV.
Answer: D
QUESTION: 169 Which of the following factors should internal auditors consider when planning an audit
55
CIA-I
engagement? I. The extent of documentation required to complete the engagement. II. Objectives of the area to be reviewed and how activities are controlled. III. Significant risks, resources, and operations. IV. Scope and degree of testing required to achieve the engagement's objectives.
A. I and IV only. B. I, II, and III only. C. II, III, and IV only. D. I, II, III, and IV.
Answer: C
QUESTION: 170 A chief audit executive (CAE) decides to implement a quality assurance and improvement program for the internal audit department but encounters some resistance from internal audit staff concerning how the program should be monitored. Internal audit staff would prefer that all monitoring be performed through supervision during an audit engagement. The CAE needs to include in the monitoring program periodic quality assessments by staff independent from the audit engagement. How should the CAE promote the quality assessment concept?
A. Encourage all internal audit staff to see the independent quality assessments as part of a process to continuously improve the internal audit department's performance. B. Explain that independent quality assessments will identify those staff whose performance does not meet the requirements of the internal audit department. C. Arrange for internal audit staff to be given appropriate training in all audit engagement procedures. D. Tell internal audit staff that the only purpose of the independent quality assessments is to ensure that errors are corrected quickly before reports are issued.
Answer: A
QUESTION: 171 According to the Standards, results of the internal audit activity's internal and external quality program assessments must be communicated to the board or governing body in order to
A. Provide accountability and transparency in the management and supervision of internal audit work. B. Ensure that action is taken by internal audit staff to correct all quality nonconformances in internal audit work.
56
CIA-I
C. Motivate internal audit staff to conform with all quality systems used in their internal audit work. D. Demonstrate that all internal audit staff have been instructed in the importance of quality in internal audit work.
Answer: A QUESTION: 172 In promoting quality assurance and improvement of the internal audit activity, which of the following would be considered a component of ongoing assessment? I. Supervision. II. Feedback from audit customers. III. Analysis of performance measures. IV. Comparison of budgeted to actual audit hours.
A. I and III only. B. II and IV only. C. I, III, and IV only. D. I, II, III, and IV.
Answer: D
QUESTION: 173 Which of the following is a recognized scheme for procurement fraud? I. Change-order abuse. II. Collusive bidding by contractors. III. Collateral financing.
A. I only. B. I and II only. C. II and III only. D. I, II, and III.
Answer: B
QUESTION: 174 The decision to implement enhanced failure detection and back-up systems to improve data integrity is an example of which risk response?
A. Risk acceptance. B. Risk sharing. C. Risk avoidance.
57
CIA-I
D. Risk reduction.
Answer: D
QUESTION: 175 In selecting assurance engagements that are consistent with an organization's goals, the chief audit executive would most likely give highest priority to
A. Results of prior audits in potential engagement areas. B. Opportunities to achieve operating benefits. C. Requests by senior management. D. Assessments of risk and effectiveness of risk management.
Answer: D
QUESTION: 176 Conflict triggers include all of the following except
A. Unclear job boundaries. B. Unrealized expectations. C. Status differentials. D. Superordinate goals.
Answer: D
QUESTION: 177 The use of pre-employment background checks is what type of control?
A. Preventive. B. Detective. C. Corrective. D. Directive.
Answer: A
QUESTION: 178 According to the Standards, which of the following should be addressed as a planning consideration?
58
CIA-I
A. Safeguarding of assets in the activity being audited. B. Compliance of operations with policies, plans, procedures, laws, and regulations. C. Accomplishment of established objectives and goals for operations and programs. D. Objectives of the activity being audited.
Answer: D
QUESTION: 179 According to the International Professional Practices Framework, which of the following is an acceptable method of Continuing Professional Education? I. Attending college courses. II. Attending conferences and seminars. III. Joining and participating in professional societies. IV. Participating in research projects.
A. I and III only. B. II and IV only. C. I, II, and III only. D. I, II, III, and IV.
Answer: D
QUESTION: 180 An internal auditor who is working at a company without an enterprise-wide risk management process should
A. Discuss the need for a risk management process with management. B. Create and implement an audit risk assessment process as a substitute. C. Develop a risk management process for use by the board. D. Notify the external auditors of the lack of a risk management process.
Answer: A
QUESTION: 181 According to the International Professional Practices Framework, the most complete definition of controls is
A. Processes and procedures that are designed to ensure that all transactions are properly authorized and accounted for. B. Policies and practices designed to ensure that assets are properly protected and that
59
CIA-I
operating and financial records have integrity. C. Actions taken by management to manage risk and increase the likelihood that established objectives and goals will be met. D. A management-designed accounting system and related procedures.
Answer: C
QUESTION: 182 During a meeting of an internal audit team, two members of the team disagree, and one accuses the other of trying to advance personal interests over the interests of the audit. The audit manager should
A. Discipline both auditors after the meeting for their lack of professional conduct. B. Continue the meeting but speak to the accusing auditor later regarding the inappropriate conduct. C. Meet with both auditors after the meeting to resolve the conflict and the inappropriate behavior. D. Stop the meeting and refer the matter to the entire team for discussion.
Answer: C QUESTION: 183 In order to ensure that the internal auditors have the objectivity required by the Standards, the chief audit executive should
A. Demonstrate willingness to include in engagement final communications all matters believed to be important. B. Require all auditors to sign statements attesting to their independent mental attitudes and honest belief in their work product. C. Carefully assign personnel to individual audit engagements and require auditors to disclose all conflicts of interest. D. Appraise each auditor's performance on each audit assignment.
Answer: C
QUESTION: 184 It would be appropriate for an internal audit activity to use consultants with expertise in health-care benefits when the internal audit activity is I. Conducting an audit of the organization's estimate of its liability for post retirement benefits, which include health care benefits. II. Comparing the cost of the organization's health care program with that of other programs offered in the industry. III. Training its staff to conduct an audit of health care costs in a major division of the
60
CIA-I
organization.
A. I only. B. I and III only. C. II and III only. D. I, II, and III.
Answer: D QUESTION: 185 Which of the following actions would be considered a violation of the Standards? I. Drafts of engagement communications were reviewed with the audit client to obtain input. The client's comments were considered when developing the engagement final communication. II. An auditor participated as part of a development team to review the control procedures to be incorporated into a major computer application under development. III. Given limited resources, the chief audit executive performed a risk analysis to determine which functions to audit.
A. II only. B. I and III only. C. I, II, and III. D. None of the above.
Answer: D
QUESTION: 186 In an assurance engagement of treasury operations, an internal auditor is required to consider all of the following issues except
A. The audit committee has requested assurance on the treasury department's compliance with a new policy on the use of financial instruments. B. Treasury management has not instituted any risk management policies. C. Due to the recent sale of a division, the amount of cash and marketable securities managed by the treasury department has increased by 350 percent. D. The external auditors have indicated some difficulties in obtaining account confirmations.
Answer: D
QUESTION: 187
61
CIA-I
Internal auditors exercise judgment about the type and amount of information to be collected. The primary purpose of this judgment is to A. Eliminate the risk of drawing incorrect conclusions. B. Minimize the cost of the audit engagement. C. Comply with the Standards. D. Provide a sound basis for audit observations and recommendations.
Answer: D
QUESTION: 188 According to the International Professional Practices Framework, a review team must express an opinion on which of the following when performing an external assessment of an internal audit activity? I. Conformance with the Standards and Code of Ethics. II. Effectiveness of continuous improvement activities. III. Feedback from internal audit customers and other stakeholder groups. IV. Efficiency and effectiveness of the internal audit activity's administration processes.
A. I only. B. III only. C. I and II only. D. II and IV only.
Answer: A
QUESTION: 189 When planning the work program for an assurance engagement, an internal auditor should first review the department's business objectives and then
A. Identify risks. B. Review controls. C. Determine scope. D. Evaluate vulnerabilities.
Answer: A
QUESTION: 190 When a risk assessment process has been used to construct an audit engagement schedule, which of the following should receive attention first?
62
CIA-I
A. The external auditors have requested assistance for their upcoming annual audit. B. A new accounts payable system is currently undergoing testing by the information technology department. C. Management has requested an investigation of possible lapping in receivables. D. The existing accounts payable system has not been audited over the past year.
Answer: C
QUESTION: 191 Which of the following risk factors is most subjective?
A. Changes in staff, systems, or the environment. B. Prior audit findings. C. Size of the unit being audited. D. Competency of operating management.
Answer: D
QUESTION: 192 Which of the following would provide the most reliable information on the risk associated with an auditable activity?
A. Event scenarios with regression analysis. B. Past audit findings and instances of management failures. C. Consequences and economic predictability of loss. D. Management assessment and corroboration by the internal audit activity.
Answer: D
QUESTION: 193 The chairperson of an organization's audit committee has obtained a risk management report that identifies significant industry concerns that impact the organization. The chairperson has asked the chief audit executive (CAE) to review these concerns and advise if they are relevant to the organization. How should the CAE respond?
A. Accept the engagement but communicate only with the audit committee to protect the confidentiality of the request. B. Decline the engagement because it is outside of the scope of the internal audit charter. C. Decline the engagement because it impairs the internal audit activity's independence. D. Accept the engagement but inform senior management of the request.
63
CIA-I
Answer: D
QUESTION: 194 Which of the following would have the least impact (either positive or negative) on an assessment of a department's control environment?
A. The department managed long-term investments, including investment in derivatives and other financial instruments, to maximize return. B. The department manager sets a tone of honesty and integrity in all business dealings and this tone is emulated by department personnel. C. Many department functions were duplicated or verified by other department employees as part of the department's normal procedures. D. Audit tests designed to verify compliance with control procedures detected a general failure to follow standard procedures for transaction authorization. Answer: A QUESTION: 195 Which of the following is a benefit from reduced testing during a particular phase of an audit engagement?
A. The size of the internal audit activity can be reduced. B. There is less concern about assessing inherent risk. C. The level of planned audit risk is lowered. D. Additional audit hours are available for pursuing other engagement objectives.
Answer: D
QUESTION: 196 An organization's external auditor has prepared a list of risks and issues and has recommended to senior management that the internal audit activity focus on these items. Senior management has forwarded the list to the chief audit executive (CAE). The CAE should
A. Incorporate the external auditor's requirements into the internal audit plan. B. Ignore the external auditor's requirements because they are outside of the internal audit activity's planned scope of work. C. Consider the issues raised by the external auditor for possible inclusion in the planned scope of work. D. Report the risks and issues to the audit committee for possible future attention.
64
CIA-I
Answer: C
QUESTION: 197 A company has established its environmental audit activity as part of its legal department rather than part of its internal audit activity, which reports to the audit committee. The board has requested that the chief audit executive (CAE) provide an annual opinion on whether environmental risks are being properly addressed. In these circumstances, the CAE should recommend to the audit committee that the internal audit activity
A. Review the recommendations in all environmental audit reports. B. Discuss with the environmental auditors the results of their reviews. C. Periodically carry out a quality assessment of the environmental audit activity. D. Include a review of environmental issues in some internal audit engagements.
Answer: C
QUESTION: 198 Which aspect of the audit function would be most impacted by a lack of coordination between an organization's internal and external auditors?
A. Responsiveness. B. Timeliness. C. Effectiveness. D. Efficiency.
Answer: D
QUESTION: 199 A chief audit executive used risk assessment to prepare the audit work schedule. Which of the following would be the least appropriate reason to modify the schedule?
A. Need for coordination of audit activities with the external auditors. B. Request for postponement since the audit would be too complicated. C. Change in the relative risk of auditable activities during the year. D. Budget constraints or expansions.
Answer: B
QUESTION: 200
65
CIA-I
Due to urgent requests from management, a busy internal audit activity finds that it can no longer meet all of its commitments contained in the annual audit plan. The best course of action for the chief audit executive to take would be to
A. Continue with the plan and seek opportunities to adjust priorities and reallocate resources. B. Advise senior management and request that they reconsider these additional requests using more rigorous risk assessment and prioritization factors. C. Advise the board and senior management and request a reassessment of the plan. D. Advise the board immediately and seek their support for additional resources to meet the needs of the plan.
Answer: C
QUESTION: 201 The chief audit executive (CAE) routinely provides activity reports to the board during quarterly board meetings. Senior management has asked to review the CAE's board presentation before each board meeting so that any issues or questions can be discussed beforehand. The CAE should
A. Provide the activity reports to senior management as requested and discuss any issues that may require action to be taken. B. Not provide activity reports to senior management because such matters are the sole province of the board. C. Disclose only those matters in the activity reports that pertain to expenditures and financial budgets of the internal audit activity. D. Provide information to senior management that pertains only to completed audit engagements and observations available in published engagement final communications.
Answer: A
QUESTION: 202 Reportable audit findings must be I. Documented by facts II. Supported by relevant evidence. III. Agreed to by management of the audited area. IV. Convincing enough to compel corrective action.
A. I and IV only. B. II and III only. C. I, II, and IV only. D. I, II, III, and IV.
66
CIA-I
Answer: C
QUESTION: 203 Which of the following is not an appropriate role of the internal audit activity in governance activities?
A. Support the board in enterprise-wide risk assessment. B. Ensure the timely implementation of audit recommendations. C. Monitor compliance with the organization's ethics policies. D. Discuss areas of significant risk.
Answer: B
QUESTION: 204 If management has not established a risk management process, the internal audit activity could
A. Take a proactive role that supplements traditional assurance activities. B. Identify and mitigate risks to the organization. C. Assume responsibility for the management of identified risks. D. Assume primary responsibility for determining if adequate and effective processes are in place.
Answer: A
QUESTION: 205 The chief audit executive's responsibility regarding control processes includes
A. Assisting senior management and the audit committee in the development of an annual assessment about internal control. B. Overseeing the establishment of internal control processes. C. Maintaining the organization's governance processes. D. Ensuring that the internal audit activity assesses all control processes annually.
Answer: A
QUESTION: 206
67
CIA-I
Regarding an organization's decision to retain an external audit firm, the chief audit executive (CAE) should
A. Work with the organization's chief financial officer to evaluate the external auditor's performance and together make the decision. B. Not be involved in this decision process as it would compromise the CAE's objectivity. C. Evaluate the external auditor's performance and retain the external auditor if quality and cost criteria are met. D. Assist the audit committee by facilitating the development of an appropriate evaluation process.
Answer: D
QUESTION: 207 The primary role of the internal audit activity in regard to an organization's ethical climate is to
A. Participate as chief ethics officer. B. Periodically assess the ethical climate. C. Utilize surveys to evaluate employee ethics. D. Demonstrate ethical behavior.
Answer: B
QUESTION: 208 Which of the following factors related to an organization's performance management system would not contribute to the organization's success?
A. Performance management is linked to competence and knowledge management. B. Subordinates and superiors have shared responsibility for the performance management process. C. Staff members own the performance management process, thereby ensuring implementation and accountability. D. Performance management is integrated into other organizational processes and human resource processes.
Answer: C
QUESTION: 209
68
CIA-I
Which of the following actions by a chief audit executive would be most effective in preventing fraud?
A. Ensure that the board is aware of all fraud that has been identified or reported. B. Train the internal audit staff in identifying fraud indicators. C. Review the adequacy of all policies that describe prohibited activities. D. Submit an annual report to the board on all fraud that has been detected.
Answer: C
QUESTION: 210 Which of the following should be the primary objective of an audit of an entity's business continuity plan?
A. Cost of testing and updating the plan. B. Delegation of responsibilities for the plan. C. Relationship of the plan to risk exposures. D. Efficiency of the planning procedures.
Answer: C
QUESTION: 211 Which of the following elements is important for an internal auditor to consider when performing a privacy risk assessment of an organization? I. Areas where personal information is collected, used, stored, and disseminated. II. Inherent risk. III. Privacy practices of competitors. IV. Third-party recipients of information.
A. III only. B. I and II only. C. I, II, and IV only. D. I, II, III, and IV.
Answer: C
QUESTION: 212 The main reason to establish internal controls in an organization is to
A. Encourage compliance with policies and procedures.
69
CIA-I
B. Safeguard the resources of the organization. C. Ensure the accuracy, reliability, and timeliness of information. D. Provide reasonable assurance on the achievement of objectives.
Answer: D QUESTION: 213 The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?
A. Monitoring. B. Control environment. C. Information and communication. D. Control activities.
Answer: B
QUESTION: 214 According to the International Professional Practices Framework, risk is I. Defined as the negative effect of events that are expected to occur. II. Measured in terms of consequences. III. Measured in terms of likelihood.
A. I only. B. I and II only. C. II and III only. D. I, II, and III.
Answer: C
QUESTION: 215 Which of the following should be incorporated in a risk management policy? I. Boundaries and limit structures. II. Requirements for reporting risk. III. Risk authorities.
A. I and II only. B. I and III only. C. II and III only. D. I, II, and III.
70
CIA-I
Answer: D
QUESTION: 216 A high-volume retailer of consumer goods has used point-of-sale data to record sales and update inventory records for several years. When price changes are scheduled, corporate headquarters downloads a price change file to a computer server system at each store. Each store's assistant manager is responsible for checking the server for downloads and running the program that updates the store's price file at the authorized price update time. In comparison with having headquarters initiate the price update centrally, this approach to price updating will most likely
A. Decrease the risk that customers will be undercharged consistently for sales items. B. Decrease the risk that item prices will sometimes be inaccurate. C. Increase the risk that customers will be undercharged consistently for sales items. D. Increase the risk that item prices will sometimes be inaccurate.
Answer: D QUESTION: 217 Which is the least effective form of risk management?
A. Systems-based preventive control. B. People-based preventive control. C. Systems-based detective control. D. People-based detective control.
Answer: D
QUESTION: 218 Which of the following describes a control weakness?
A. Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor. B. Prenumbered blank purchase orders are secured within the purchasing department. C. Normal operational purchases fall in the range from $500 to $1,000 with two signatures required for purchases over $1,000. D. The purchasing agent invests in a publicly traded mutual fund that lists the stock of one of the company's suppliers in its portfolio.
Answer: A
71
CIA-I
QUESTION: 219 An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to
A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates. B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization. C. Ensure that adequate edit and reasonableness checks are built into the automated system. D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee.
Answer: B
QUESTION: 220 A daily report which lists unsuccessful attempts to log on to a computer system is a
A. Corrective control. B. Preventive control. C. Detective control. D. Compensating control.
Answer: C QUESTION: 221 Which of the following internal controls is likely to prevent pollution from waste disposal before it occurs, rather than detect it after it occurs?
A. Identification of large budget variances in disposal costs for hazardous chemicals. B. Restricted access to environmental department files. C. Formal on-the-job training program conducted by the environmental staff. D. Samples of water and solid waste taken daily with the results recorded in a log.
Answer: C
QUESTION: 222
72
CIA-I
An auditor for a large wholesaler is evaluating the controls over the approval and oversight of credit sales. Which of the following procedures would be a control weakness?
A. The credit department is responsible for approving shipments to all customers. B. The finance committee of the board of directors periodically reviews credit standards. C. Customers who fail to meet credit requirements must pay cash for shipments upon delivery. D. The sales department is responsible for determining the credit ratings of customers. Answer: D
QUESTION: 223 A dental insurance provider has implemented an electronic claim submission process and is concerned that dentists are submitting claims for services that were not provided. Which of the following control procedures would be most effective in preventing this type of fraud? A. Develop a program that identifies procedures performed on an individual which are either in excess of expectations based on the age of the insured or are similar to other procedures recently performed on the individual. B. Require all submitted claims to be followed by a signed statement by the dentist testifying to the fact that the claimed procedures were performed. C. Send confirmations to the dentists requesting them to confirm the exact nature of the claims submitted to the insurance provider. D. Develop an integrated test facility and submit false claims to verify that the system is detecting such claims on a consistent basis.
Answer: A
QUESTION: 224 Which of the following lists these audit steps in the correct chronological order? I. Create the engagement work program. II. Conduct the exit conference. III. Perform fieldwork. IV. Schedule the audit engagement. V. Issue a summary report of audit findings. A. I, IV, III, II, V. B. I, IV, II, III, V. C. IV, I, III, II, V. D. IV, III, I, V, II.
Answer: C
73
CIA-I
QUESTION: 225 To identify those components of a telecommunications system that present the greatest risk, an internal auditor should first
A. Review the open systems interconnect network model. B. Identify the network operating costs. C. Determine the business purpose of the network. D. Map the network software and hardware products into their respective layers.
Answer: C
QUESTION: 226 An auditor plans to analyze customer satisfaction, including (1) customer complaints recorded by the customer service department during the last three months; (2) merchandise returned in the last three months; and (3) responses to a survey of customers who made purchases in the last three months. Which of the following statements regarding this audit approach is correct?
A. Although useful, such an analysis does not address any risk factors. B. The survey would not consider customers who did not make purchases in the last three months. C. Steps 1 and 2 of the analysis are not necessary or cost-effective if the customer survey is comprehensive. D. Analysis of three months' activity would not evaluate customer satisfaction.
Answer: B
QUESTION: 227 When internal auditors provide consulting services, the scope of the engagement is primarily determined by
A. Internal auditing standards. B. The audit engagement team. C. The engagement client. D. The internal audit activity's charter.
Answer: C
QUESTION: 228 An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including
74
CIA-I
the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?
A. Investigation of the physical security over access to the components of the LAN. B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level. C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise. D. The level of security of other LANs in the company which also utilize sensitive data.
Answer: D
QUESTION: 229 At the beginning of fieldwork in an audit of investments, an internal auditor noted that the interest rate had declined significantly since the engagement work program was created. The auditor should
A. Proceed with the existing program since this was the original scope of work that was approved. B. Modify the audit program and proceed with the engagement. C. Consult with management to verify the interest rate change and proceed with the engagement. D. Determine the effect of the interest rate change and whether the program should be modified.
Answer: D QUESTION: 230 Which of the following measurements could an auditor use in an audit of the efficiency of a motor vehicle inspection facility?
A. The total number of cars approved. B. The ratio of cars rejected to total cars inspected. C. The number of cars inspected per inspection agent. D. The average amount of fees collected per cashier. Answer: C
QUESTION: 231 A bakery chain has a statistical model that can be used to predict daily sales at individual stores based on a direct relationship to the cost of ingredients used and an
75
CIA-I
inverse relationship to rainy days. What conditions would an auditor look for as an indicator of employee theft of food from a specific store?
A. On a rainy day, total sales are greater than expected when compared to the cost of ingredients used. B. On a sunny day, total sales are less than expected when compared to the cost of ingredients used. C. Both total sales and cost of ingredients used are greater than expected. D. Both total sales and cost of ingredients used are less than expected.
Answer: B
QUESTION: 232 Which of the following procedures would provide the best evidence of the effectiveness of a credit-granting function?
A. Observe the process. B. Review the trend in receivables write-offs. C. Ask the credit manager about the effectiveness of the function. D. Check for evidence of credit approval on a sample of customer orders.
Answer: B
QUESTION: 233 An organization has developed a large database that tracks employees, employee benefits, payroll deductions, job classifications, and other similar information. In order to test whether data currently within the automated system are correct, an auditor should
A. Use test data and determine whether all the data entered are captured correctly in the updated database. B. Select a sample of data to be entered for a few days and trace the data to the updated database to determine the correctness of the updates. C. Use generalized audit software to provide a printout of all employees with invalid job descriptions. Investigate the causes of the problems. D. Use generalized audit software to select a sample of employees from the database. Verify the data fields.
Answer: D
QUESTION: 234
76
CIA-I
Senior management at a financial institution has received allegations of fraud at its derivatives trading desk and has asked the internal audit activity to investigate and issue a report concerning the allegations. The internal audit activity has not yet developed sufficient proficiency regarding derivatives trading to conduct a thorough fraud investigation in this area. Which of the following courses of action should the chief audit executive (CAE) take to comply with the Standards?
A. Engage the former head of the institution's derivatives trading desk to perform the investigation and submit a report with supporting documentation to the CAE. B. Request that senior management allow a delay of the fraud investigation until the internal audit activity's on-staff certified fraud examiner is able to obtain the appropriate training regarding the analysis of derivatives trading. C. Request that senior management exclude the internal audit activity from the investigation completely and instead contract with an external certified fraud examiner with derivatives experience to perform all aspects of the investigation and subsequent reporting. D. Contract with an external certified fraud examiner with derivatives experience to perform the investigation and subsequent reporting, with the chief audit executive approving the scope of the investigation and evaluating the adequacy of the work performed.
Answer: D
QUESTION: 235 According to the International Professional Practices Framework, internal auditors should possess which of the following competencies? I. Proficiency in applying internal auditing standards, procedures, and techniques. II. Proficiency in accounting principles and techniques. III. An understanding of management principles. IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods.
A. I only. B. II only. C. I and III only. D. I, III, and IV only.
Answer: D
QUESTION: 236 Which of the following are acceptable resources for a chief audit executive to use when developing a staffing plan? I. Co-sourcing arrangements. II. Employees from other areas of the organization.
77
CIA-I
III. The organization's external auditors. IV. The organization's audit committee members.
A. I only. B. I and II only. C. II and IV only. D. I, II, and IV only.
Answer: B QUESTION: 237 Which of the following would be a violation of the IIA Code of Ethics?
A. Reporting information that could be damaging to the organization, at the request of a court of law. B. Including an issue in the final audit report after management has resolved the issue. C. Participating in an audit engagement for which the auditor does not have the necessary experience or training. D. Accepting a gift that is a commercial advertisement available to the public. Answer: C QUESTION: 238 Which of the following is not an appropriate objective for a quality assurance and improvement program?
A. Continually monitor the internal audit activity's effectiveness. B. Assure conformance with the Standards and Code of Ethics. C. Perform an internal assessment at least once every five years. D. Communicate the results of quality assessments to the board.
Answer: C
QUESTION: 239 According to the International Professional Practices Framework, which of the following is true with respect to the different roles in the risk management process? I. Boards have an oversight role. II. Acceptance of residual risks can reside with the chief audit executive. III. The board can delegate the operation of the risk management framework to the management team. IV. The internal audit activity's role can range from having no responsibilities to managing and coordinating the process.
78
CIA-I
A. I only. B. II and IV only. C. I, III, and IV only. D. I, II, III, and IV.
Answer: C
QUESTION: 240 Which of the following types of risk factors are used within risk models to establish the priority of internal audit engagements? I. Management competence. II. Quality of internal controls. III. Audit staff experience. IV. Regulatory requirements.
A. II only. B. I, II, and III only. C. I, II, and IV only. D. I, III, and IV only.
Answer: C QUESTION: 241 Which of the following is not an appropriate type of coordination between the internal audit activity and regulatory auditors?
A. Regulatory auditors share their perspective on risk management, control, and governance with the internal auditors. B. Internal auditors perform fieldwork at the direction of the regulatory auditors. C. Internal auditors review copies of regulatory reports in planning related internal engagements. D. Regulatory and internal auditors exchange information about planned activities.
Answer: B QUESTION: 242 An organization's accounts payable function improved its internal controls significantly after it received an unsatisfactory audit report. When planning a follow-up audit of the function, what level of detection risk should be expected if the audit and sampling procedures used are unchanged from the prior audit? A. Detection risk is lower because control risk is lower. B. Detection risk is lower because control risk is higher. C. Detection risk is higher because control risk is lower.
79
CIA-I
D. Detection risk is unchanged although control risk is lower.
Answer: D QUESTION: 243 Which of the following is an appropriate role for the board in governance?
A. Preparing written organizational policies that relate to compliance with laws, regulations, ethics, and conflicts of interest. B. Ensuring that financial statements are understandable, transparent, and reliable. C. Assisting the internal audit activity in performing annual reviews of governance. D. Working with the organization's attorneys to develop a strategy regarding current litigation, pending litigation, or regulatory proceedings governance.
Answer: B QUESTION: 244 According to the International Professional Practices Framework, which of the following are allowable activities for an internal auditor? I. Advocating the establishment of a risk management function. II. Identifying and evaluating significant risk exposures during audit engagements. III. Developing a risk response for the organization if there is no chief risk officer. IV. Benchmarking risk management activities with other organizations. V. Documenting risk mitigation strategies and techniques.
A. IV and V only. B. I, II, and III only. C. I, II, IV, and V only. D. II, III, IV, and V only.
Answer: C QUESTION: 245 According to the International Professional Practices Framework, which of the following should be stated in the internal audit charter? I. Authorization for access to records. II. The internal audit activity's position within the organization. III. The relationship between the internal audit activity and the board. IV. The scope of internal audit activities.
A. I and IV only. B. II and III only. C. I, II, and IV only.
80
CIA-I
D. I, II, III, and IV.
Answer: C
QUESTION: 246 Which of the following is not an appropriate role for internal auditors after a disaster occurs?
A. Monitor the effectiveness of the recovery and control of operations. B. Correct deficiencies of the entity's business continuity plan. C. Recommend future improvements to the entity's business continuity plan. D. Assist in the identification of lessons learned from the disaster and the recovery operations.
Answer: B QUESTION: 247 Which component is the foundation of the COSO internal control framework?
A. Risk assessment. B. Control environment. C. Control activities. D. Monitoring.
Answer: B QUESTION: 248 Which of the following best describes the underlying premise of the COSO enterprise risk management framework?
A. Management should set objectives before assessing risk. B. Every entity exists to provide value for its stakeholders. C. Policies are established to ensure that risk responses are performed effectively. D. Enterprise risk management can minimize the impact and likelihood of unanticipated events.
Answer: B
QUESTION: 249 Which of the following is an example of sharing risk?
81
CIA-I
A. An organization redesigned a business process to change the risk pattern. B. An organization outsourced a portion of its services to a third-party service provider. C. An organization sold an unprofitable business unit to its competitor. D. In order to spread total risk, an organization used multiple vendors for critical materials. Answer: B
QUESTION: 250 A records management system is an example of what type of control? A. Preventive. B. Detective. C. Corrective. D. Directive.
Answer: A
QUESTION: 251 Which of the following procedures is not a step that an auditor would perform when planning an audit of an organization?
A. Obtaining detailed knowledge about the organization. B. Obtaining a management representation letter. C. Assessing the audit risk of the organization. D. Having discussions with the organization's management team.
Answer: B
QUESTION: 252 Which of the following risk assessment tools would best facilitate the matching of controls to risks?
A. Control matrix. B. Internal control questionnaire. C. Control flowchart. D. Program evaluation and review technique (PERT) analysis.
Answer: A
82
CIA-I
QUESTION: 253 Which of the following factors should be considered when determining the staff requirements for an audit engagement? I. The internal audit activity's time constraints. II. The nature and complexity of the area to be audited. III. The period of time since the area was last audited. IV. The auditors' preference to audit the area. V. The results of a preliminary risk assessment of the activity under review.
A. I and IV only. B. I, II, and V only. C. II, III, and V only. D. I, II, III, IV, and V.
Answer: B
83